MAC-TR-11 


MASSACHUSETTS INSTITUTE OF TECHNOLOGY 


PROJECT MAC 


PROGRAM STRUCTURE IN A 
MULTI-ACCESS COMPUTER 


by 


J.B. Dennis


"Work reported herein was supported (in part) by Project MAC,
an M.I.T. research program sponsored by the Advanced Research
Projects Agency, Department of Defense, under Office of Naval
Research Contract Number Nonr-4102(01). Reproduction in whole
or in part is permitted for any purpose of the United States
Government."




I. Introduction 


A multi-access computer (MAC) system consists of processing units
and directly addressable main memory in which procedure information is
interpreted as sequences of operations on data, a system of terminal devices
through which users may communicate with procedures operating for them, and
mass memory where procedures and data may be held when not required for
immediate reference. One fundamental attraction of the MAC concept is the
increased productivity of "computer catalyzed research"* that results from
close man-machine interaction. Another attraction is the wealth of data and
procedures that are accessible to a large user community through the file
memory of a MAC system.


The practicality of the MAC concept depends on the idea that the
power of a large computer system should be a better match to the union of
many diverse tasks than it is to any particular one. The amount of main
memory actually required for efficient execution of a procedure varies from
a few hundred words to many times the size of memories in existing machines,
depending on the nature of the procedure. Moreover, the memory requirement
of a procedure typically varies over a wide range during its execution. If
a number of diverse procedures can share a large main memory, the total
memory requirement will be subject to less fluctuation with time in
consequence of the statistics of sums. Procedures also differ in the frequency
with which interactions with the machine environment interrupt processes
in execution, and the length of pauses that result. If many processes are
available for execution in a machine structure, the statistics will insure
that the processing units of the system will be kept more fully occupied
than would otherwise be possible.


* with apologies to E.E. David


For a computer system that places particular emphasis on strong
interaction with a user community, it is evident that memory and processing
capacity must be freely reassignable among the active processes. The time
scale desirable for reallocation events to take place in a MAC system is
certain to be several orders of magnitude beyond what has been accomplished
or contemplated with existing systems.


The formulation of a computer system organization and operating
philosophy raises many important questions. Two broad issues concern us
in this paper:


1. What features of machine design are necessary or desirable to
facilitate dynamic allocation of computation resources among many concurrent
processes?


2. What are appropriate policies for governing the allocation of
machine resources to insure their effective utilization, and through what
techniques should these policies be implemented?


For evaluation of machine organization and features, and for realistic
study of the resource allocation problem, a suitable model of program
structure is required. It is no longer adequate to consider a program as
occupying a single block of memory and requiring a specific length of time
for execution. The varying demand of a program for space in main memory, the
referencing of common procedures, data, and files by several programs, the
possibilities of parallel processing, and the rate of interaction with
environment in a MAC system require a more sophisticated view of program
structure.


In the following paragraphs some thoughts are developed that may form
a reasonably adequate model of program structure. These concepts have grown
out of many discussions with colleagues in Project MAC*, and our experience
to date in the design and operation of multi-access computer systems. The
work on dynamic storage allocation reported by the Atlas group at Manchester
and the Rice University group are pioneering steps toward the objective of
our research. The formulation of the storage allocation problem in terms of
segments of memory and phases of execution by Holt has been very influential
on our thinking. At this writing, the ideas do not form a consistent whole,


* and E. Van Horn in particular


segment as procedure and one or more segments as data. Observe that the
pure procedure convention for procedure

actively reference the same procedure culate without interference.

segments are in working status. From the progr


"phase" of his procedure. Transition of a process from one phase to another
occurs when a new segment must join the working group, or a working segment
is dropped from the group.


5) read only data - the segment contains data that may be referenced
by a ales Ete process ay not modified.


In this discussion it is assumed that procedure segments are in pure


A segment being actively referenced as procedure by a processing unit
of the computer system is said to be in execution. We will use the term
process to denote the act of executing a single sequence of instructions
taken from a succession of procedure segments. In a multi-processor computer
system, a number of processes may be in execution simultaneously.


At any instruction step a process is actively referencing exactly one


permits several processes.


of new data segments or read-only data segments.
2) Erasing an existing segment.
3) Initiation of a new process.
4) Termination of the process.
5) Entering a segment in the working collection.
6) Deleting a segment from the working collection.
7) Requesting assignment or release of an input/output device.
8) Changing the length of a data segment.


The form taken by the name of a segment to working process will depend
on means chosen to make references to segments effective during execution and


The form taken by effective segment names will be limited in bit length
by considerations of hardware and programming economy. Therefore, the number
of distinct effective names will be finite, but must certainly be large
enough to cover all working segments at any time. Since the cost of adding
a bit to the length of segment names is not great and the total number of
working segments is unpredictable it is appropriate to choose a length such
that the expected number of working segments requires only a small fraction
of all possible effective segment names.


Some segments participating in the course of a process are created in
the process itself. Other segments referenced by the process constitute
procedure and data objects normally residing in file memory. We will use
the term file name to designate the descriptor (including the context in
which the descriptor is used) that selects a procedure or data segment for
retrieval from file memory. The set of file names of segments in an operational
system will, in general, have an elaborate prefix structure in consequence of
the hierarchy of user groups, the characteristics of programming language
systems, and the interrelations among public procedures. The necessity for
this prefix structure makes it difficult if not impossible to specify the
required length of a direct binary encoding of the file names of segments.


We will say that a segment is active whenever it has an associated
effective segment name such that references to it arising during the execution
of any process are effective. If no effective name is associated with a
segment, the segment is inactive. To clarify the meaning of these terms,
we suppose the computer system is operated in such manner that the following
conditions are met:


1) All segments occupying main memory are active.

2) The mass memory is divided into two functional parts - auxiliary
memory and file memory.

3) All segments occupying auxiliary memory are active.

4) All segments occupying file memory are inactive.


Condition 2 is not meant to imply that auxiliary memory and file memory are
physically distinct in a MAC system. In a practical realization of a
multi-access computer system the main memory will be finite in size and, in
general, the sum of all working segment lengths will substantially exceed
this capacity. The auxiliary memory serves as an extension of main memory
used to keep working procedure and data segments not currently in main memory
for execution.


It is important to understand that two categories of decisions have been
implied by our discussion - those made by the user or his programming system,
and executive decisions made to effect allocation or scheduling functions.


1) The decision of which segments have working status for a process
is part of the specification of the process. Thus, these decisions
are made by the user or the language system with which he is
working.


2) The decision to move a segment between main memory and auxiliary
memory is concerned with allocation of main memory. Decisions of
this type are executive or supervisory functions of the system.


3) The insertion of program forks and the tattiteatson of aceekebia’ 
form part of the description of a preceaate and are specified by 
the designer of the ee 


4) The assignment of processing units to processes is a
supervisory function.


Conservation of Effective Names 


The process of making a segment active occurs with the first occurrence
of the segment file name during the execution of any process. At that point
an effective segment name must be taken from a pool of available effective
names. The segment must be retrieved from file memory, and its association
with the selected effective name must be established to permit working
references.


A working segment created through the execution of a process is
automatically associated with a unique effective name from the pool of
effective names, by the act of its creation. Similarly, a process may erase
a segment, thus returning its effective name to the pool. A supervisory
process must have the power to revoke names issued to a process if the
process has hogged many names for an excessive time. In normal operation, it
would not appear unreasonable for a user to retain some associations of
effective names for an extended period, perhaps many months, were this
required by the nature of his work.


Spheres of Protection 
One cardinal principle in the design of a MAC system is that a
computation proceeding for one user must not interfere with correct execution
of any other computation. Each ongoing process in the computer system is
concerned at any time with a certain group of procedure and data segments and
with certain input/output devices. The process must be denied access to
segments and devices that is not properly authorized. This is necessary so
that possibly faulty programs may be run in the system without endangering
other computations. On-line program debugging would not otherwise be
practical. It is convenient to think of each process as operating within a
sphere of protection* containing all segments that may be legally referenced
and input/output devices with which the process is permitted to communicate.
References by a process to segments or devices not within the sphere of
protection are illegal and result in termination of the process.


It is helpful to think of a sphere of protection B as having been
established through the action of a process operating in a distinct sphere of
protection A. In this connection, we shall refer to A as the immediate
superior of B, and B as an immediate inferior of A. We suppose there is
exactly one sphere of protection that has no immediate superior and is called
the master sphere.


The set of all spheres of protection together with the superior-inferior
relation form, in general, a tree in which the master sphere is the vertex. In
this tree a sphere A is superior (inferior) to a sphere B if there is a
downward (upward) path in the tree from A to B. In later paragraphs we discuss
reasons for permitting the hierarchy of spheres of protection to have many
levels. In relation to the hierarchy of spheres of protection, processes must
have further powers realized through meta-instructions. If sphere B is an
immediate inferior to sphere A, a process in A must be able to:

1) create B.
2) enter a segment valid in sphere A as valid in sphere B.
3) initiate a process in sphere B.
4) terminate all processes in sphere B.
5) delete sphere B, and in consequence all spheres inferior to B.


* After E. Van Horn


The relation between spheres of protection cannot be completely
specified without mention of exceptional conditions. A procedure step
encountered by a process that is meaningless in its sphere of protection
causes an exceptional condition. Examples are a reference to an invalid
segment or device name, a non-existent address within a segment, or an
undefined operation code. An exceptional condition arising in a process
terminates that process and initiates a specific process in the immediately
superior sphere of protection.


Program Development 


The user of a MAC system develops a new program by communicating with
a programming language system. Suppose the processes performed by the
programming system on behalf of one user are carried out in a distinct sphere
of protection we shall label A for short. These processes create a number of
segments which are referenced as data in sphere A and constitute the coding
of the user's procedure. To perform the user's procedure, sphere A creates
an inferior sphere of protection B in which the segments of the user's
program appear as procedure or data, according to declarations made to the
programming system, and then initiates a process in sphere B. Exceptional
conditions arising in sphere B terminate the process and reestablish a process
in sphere A. Exceptional conditions should not occur in the execution of the
language system procedures in sphere A as they are presumably debugged
programs. If one does occur a process is created in the sphere C that is
immediately superior to A.


The reasons for placing sphere B inferior to A rather than directly
under C are several. First, it is natural that the programming system in A
should have the power of creating, deleting, and allocating resources to
sphere B. Second, the programming system in A is aware of the interpretation
to be made for exceptional conditions encountered by a process proceeding in
B, whereas exceptional conditions arising in the programming system itself
require action by a higher system.


Clearly, it could readily be desirable to extend the superior-inferior
relationship to more levels: A user may be debugging a programming language
system; a teaching program may run under a programming system, and interact
with many students whose data must be held confidential.
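
An added example, not part of the original report: a small Python model of the five powers listed under Spheres of Protection and of the exceptional-condition rule, replaying the C, A, B arrangement from Program Development. The class `Sphere`, its method names, the handler naming and the segment names are assumptions of this sketch.

```python
class Sphere:
    """One sphere of protection; all names here are assumptions of this sketch."""

    def __init__(self, name, superior=None):
        self.name = name
        self.superior = superior   # immediate superior; None only for the master
        self.inferiors = []        # immediate inferiors
        self.valid = {}            # segment name -> class code legal here
        self.processes = set()
        self.conditions = []       # exceptional conditions raised by inferiors
        self.alive = True

    def _immediate(self, sphere):
        # The five powers apply only to a live immediate inferior.
        if sphere.superior is not self or not sphere.alive:
            raise PermissionError(f"{sphere.name} is not an immediate inferior of {self.name}")

    def create(self, name):                                   # power 1
        child = Sphere(name, superior=self)
        self.inferiors.append(child)
        return child

    def enter_segment(self, inferior, segment, class_code):   # power 2
        self._immediate(inferior)
        if segment not in self.valid:          # cannot pass on what A lacks
            raise PermissionError(f"{segment} is not valid in {self.name}")
        inferior.valid[segment] = class_code

    def initiate(self, inferior, process):                    # power 3
        self._immediate(inferior)
        inferior.processes.add(process)

    def terminate_all(self, inferior):                        # power 4
        self._immediate(inferior)
        inferior.processes.clear()

    def delete(self, inferior):                               # power 5
        self._immediate(inferior)
        for sub in list(inferior.inferiors):   # every sphere below goes too
            inferior.delete(sub)
        inferior.processes.clear()
        inferior.valid.clear()
        inferior.alive = False
        self.inferiors.remove(inferior)

    def reference(self, process, segment):
        """One reference by `process`; returns the class code, or None if illegal."""
        if process not in self.processes:
            raise ValueError(f"{process} is not running in {self.name}")
        if segment in self.valid:
            return self.valid[segment]
        # Exceptional condition: the process is terminated and a specific
        # process is initiated in the immediately superior sphere.
        self.processes.discard(process)
        if self.superior is not None:          # master-sphere case is not modelled
            self.superior.conditions.append((self.name, process, segment))
            self.superior.processes.add(f"handler({self.name}:{process})")
        return None


def program_development():
    """Replay the C > A > B arrangement with constructed segment names."""
    master = Sphere("master")
    c = master.create("C")
    a = c.create("A")
    a.valid.update({"compiler": "procedure", "user_code": "data", "user_table": "data"})
    b = a.create("B")
    a.enter_segment(b, "user_code", "procedure")   # data in A, procedure in B
    a.enter_segment(b, "user_table", "data")
    a.initiate(b, "p1")
    legal = b.reference("p1", "user_code")
    illegal = b.reference("p1", "compiler")        # valid in A, never entered in B
    return master, c, a, b, legal, illegal
```

The faulty reference in B costs only process p1; the language system in A receives the condition, and deleting A from C removes B with it.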


Allocation and Scheduling 


We assume that it is essential for successful operation of a MAC system
that the effect of a malfunction (due to either a programming error or a
transient hardware fault) of a process operating in a sphere of protection
be confined to itself and processes operating in inferior spheres. Thus,
modification of segments containing the current allocation of devices, main
memory, effective segment names and other system resources, must be disallowed
for any process except one operating in the master sphere. Thus, a process
wishing to have a system resource assigned or released from its domain must
communicate with the master sphere (by means of meta-instructions).


It is envisioned that processes in the master sphere serve the following
functions:


1) Maintain allocation tables and prevent conflicts in assignments.

2) Maintain queues of processes available for execution and waiting
for input/output events.

3) Take appropriate action upon exceptional conditions arising in
immediately inferior spheres.

4) Establish and delete spheres of protection inferior to itself in
response to commands given by staff personnel through a suitable
private terminal.


Inferior to the master sphere, several executive systems could exist,
each within its own sphere of protection. Each system would authorize
allocation of system resources to spheres inferior to itself, and execute
allocation and scheduling acts by communicating with the master sphere. One
or more of the executive systems could be in operation while another was
being debugged or modified.


Carrying these thoughts a step further, it is attractive to arrange a
supervisor in a MAC system so that executive functions are done by modules of
procedure operating in separate spheres of protection. On-line debugging of
supervisory modules would then be possible in parallel with normal system
operation. Furthermore, the effects of hardware or program failures occurring
in supervisory operation could be confined to a limited part of the supervisory
system - only master sphere failures would be catastrophic.


III. Machine Features 


Memory References by a Processing Unit 
To exploit the segment structure of programs, it is evident that a
processing unit must supply the name of the intended segment as well as the
address whenever reference is made to main memory. Including the segment
name as an extension of the conventional address is impractical for several
reasons: For any reasonable length of effective segment name, the efficiency
of procedure representation in memory would suffer badly. Secondly, since
effective segment names are not assigned until execution time, including them
directly in the instruction format would require violation of pure procedure
coding.


A solution is to include several special registers called attachment
registers in the processing unit as in Figure 1a. The data attachment registers
can be loaded with segment names by instructions open to all processes. The
typical single address instruction code format is then expanded slightly as
shown in Figure 1b to include a field that selects the data attachment register
containing the segment name pertinent to the data reference of the instruction.
Procedure references by a processing unit are made to the segment named in the
procedure attachment register. The procedure attachment register could be
automatically loaded from one of the data attachment registers when a transfer
of control or a subroutine entry instruction is executed.


Storage Mapping Hardware 
The storage mapping hardware discussed below was devised with the
following objectives:

1) It should be possible to redistribute main memory when working
reference to new segments is required without having to move segment
content between physical memory locations.

2) Modification of segment content should not be necessary to preserve
effective references among segments when the allocation of memory
is changed.


These objectives are accomplished by interposing two control memories
called the segment index and the page index, and some control logic, between
the processing unit and main memory, as shown in Figure 2. For simplicity
only one processing unit is presumed, though the principle is equally valid
for a multiprocessor system. The segment index contains entries, each
consisting of a sphere name-segment name pair and a code that indicates the
nature of references to the segment that are legal within the associated
sphere of protection. Whenever the process in execution attempts to load
an attachment register with a new effective segment name, the segment name
and the sphere of protection are presented to the segment index. This pair
is associatively matched against the corresponding fields in the segment
index. If a match is found, the new segment name is legal - the class code
is placed in a class indicator associated with the attachment register, and
execution of the process is continued. If no match is found, reference to
the segment is not valid in the current sphere of protection. This is an
exceptional condition that terminates the process. From the foregoing, it is
evident that the attachment registers will only contain segment names to
which valid references may be made within the current sphere of protection.


The page index is used to rename equal-size blocks of main memory, and
contains one entry for each block of main memory. Each segment consists of
an integral number of block-sized pages. Therefore, an address within a
segment is broken into the concatenation of a page number and a line number
within the page. Each entry in the page index memory contains an effective
segment name, a page number and a block number. The block number gives the
block in main memory where the indicated page of the named segment is to be
found. When the processing unit makes a reference to main memory, it
supplies to the page index the name of a segment from one of its attachment
registers, and the effective address within the segment generated by normal
techniques. The effective address is split into page number and line, and
the segment name and page number are used in an associative look up in the
page index to find the block number to be used for accessing main memory.
The page number and block number are loaded into an extension of the
attachment register so further references to the same page do not require
use of the page index. If no match is obtained in the page index, the
reference was to an address outside the current bounds of the segment and an
exceptional condition exists.
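
An added example, not part of the original report: a Python model of the two lookups just described, with the segment index checked when an attachment register is loaded and the page index consulted on a memory reference. The class and method names, the class-code strings, the write check against the class code and the sample table contents are assumptions of this sketch; Python dictionaries stand in for the associative memories.

```python
PAGE_SIZE = 1024  # words per block, matching the report's 1024-word blocks


class ExceptionalCondition(Exception):
    """Illegal reference; in the report this terminates the process."""


class AttachmentRegister:
    def __init__(self, mapper, segment, class_code):
        self.mapper, self.segment, self.class_code = mapper, segment, class_code
        self.page = self.block = None   # register extension: last page -> block

    def translate(self, address, write=False):
        """Map an address within the attached segment to a main-memory address."""
        # Assumed reading of the class code: only "data" segments may be written.
        if write and self.class_code != "data":
            raise ExceptionalCondition(f"write to {self.class_code} segment {self.segment}")
        page, line = divmod(address, PAGE_SIZE)   # address = page number . line number
        if page != self.page:                     # extension miss: use the page index
            self.mapper.page_lookups += 1
            key = (self.segment, page)
            if key not in self.mapper.page_index:
                raise ExceptionalCondition(f"address {address} outside segment {self.segment}")
            self.page, self.block = page, self.mapper.page_index[key]
        return self.block * PAGE_SIZE + line


class Mapper:
    def __init__(self):
        self.segment_index = {}   # (sphere name, segment name) -> class code
        self.page_index = {}      # (segment name, page number) -> block number
        self.page_lookups = 0     # how often the page index had to be consulted

    def attach(self, sphere, segment):
        """Load an attachment register; legal only if the pair is in the segment index."""
        key = (sphere, segment)
        if key not in self.segment_index:
            raise ExceptionalCondition(f"segment {segment} not valid in sphere {sphere}")
        return AttachmentRegister(self, segment, self.segment_index[key])


def demo():
    m = Mapper()
    # Constructed sample tables: segment 7 is shared by spheres A and B.
    m.segment_index = {("A", 7): "data", ("B", 7): "read only data"}
    m.page_index = {(7, 0): 12, (7, 1): 3}     # two pages held in scattered blocks
    reg = m.attach("A", 7)
    first = reg.translate(1030, write=True)    # page 1, line 6, found in block 3
    second = reg.translate(1031)               # same page: the extension is reused
    lookups = m.page_lookups
    m.page_index[(7, 1)] = 40                  # reallocation touches only the index
    moved = m.attach("A", 7).translate(1030)   # same name and address, new block
    return first, second, lookups, moved
```

Changing one page index entry relocates the page without touching the segment's content or the names processes use for it, which is the pair of objectives stated above.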


The equality searches required in the segment index and page index
could be performed by hardware associative memories. However,
pseudo-associative memory realized through conventional location addressed
memory and hash addressing is presently more economical and probably faster
on the average. The page index memory must be very fast, as a reference to it
is needed for a sizable fraction of main memory references. Its size is
rather small, e.g. 1024 entries for a main memory of 2^20 words partitioned
into 1024-word blocks. The segment index memory does not have to be so fast,
but requires a number of entries that is dependent on the nature of the
processes active at any time. The segment index might, itself, be one of the
segments sharing the main memory.